author | ale <ale@FreeBSD.org> | 2006-10-16 17:30:58 +0800 |
---|---|---|
committer | ale <ale@FreeBSD.org> | 2006-10-16 17:30:58 +0800 |
commit | b8e6a8ac6f955d1a2ca3f21c517a0de67897b6ef (patch) | |
tree | ce726f126e5db262557c17b8ebd4c326b332d0d6 /lang | |
parent | d738d27d48f69016909b9b76d85be1cc2a311b3b (diff) | |
- fix open_basedir vulnerability in php4 and php5 [1]
- add an alert on safe_mode intrinsic insecurity and
suggest to install the suhosin extension
- enable the suhosin patch by default also in php4
Submitted by: Thomas Vogt <thomas@bsdunix.ch> [1]
Obtained from: PHP CVS [1]
Approved by: portmgr (clement)
Diffstat (limited to 'lang')
-rw-r--r-- | lang/php4/Makefile | 6 | ||||
-rw-r--r-- | lang/php4/files/patch-ext_standard_dir.c | 20 | ||||
-rw-r--r-- | lang/php4/files/patch-main_php_open_temporary_file.c | 43 | ||||
-rw-r--r-- | lang/php4/files/patch-php.ini-dist | 18 | ||||
-rw-r--r-- | lang/php4/files/patch-php.ini-recommended | 18 | ||||
-rw-r--r-- | lang/php5/Makefile | 2 | ||||
-rw-r--r-- | lang/php5/files/patch-ext_standard_dir.c | 20 | ||||
-rw-r--r-- | lang/php5/files/patch-main_php_open_temporary_file.c | 43 | ||||
-rw-r--r-- | lang/php5/files/patch-php.ini-dist | 18 | ||||
-rw-r--r-- | lang/php5/files/patch-php.ini-recommended | 18 | ||||
-rw-r--r-- | lang/php53/Makefile | 2 | ||||
-rw-r--r-- | lang/php53/files/patch-ext_standard_dir.c | 20 | ||||
-rw-r--r-- | lang/php53/files/patch-main_php_open_temporary_file.c | 43 | ||||
-rw-r--r-- | lang/php53/files/patch-php.ini-dist | 18 | ||||
-rw-r--r-- | lang/php53/files/patch-php.ini-recommended | 18 |
15 files changed, 302 insertions, 5 deletions
diff --git a/lang/php4/Makefile b/lang/php4/Makefile index 165cacf8d818..6d8269cb5da8 100644 --- a/lang/php4/Makefile +++ b/lang/php4/Makefile @@ -7,7 +7,7 @@ PORTNAME= php4 PORTVERSION= 4.4.4 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \ http://downloads.php.net/ilia/:rc \ @@ -37,7 +37,7 @@ OPTIONS= CLI "Build CLI version" on \ CGI "Build CGI version" on \ APACHE "Build Apache module" off \ DEBUG "Enable debug" off \ - SUHOSIN "Enable Suhosin protection system" off \ + SUHOSIN "Enable Suhosin protection system" on \ MULTIBYTE "Enable zend multibyte support" off \ IPV6 "Enable ipv6 support" on \ REDIRECT "Enable force-cgi-redirect support (CGI only)" off \ @@ -53,7 +53,7 @@ MAN1= php-config.1 phpize.1 .include <bsd.port.pre.mk> -.if defined(WITH_SUHOSIN) +.if !defined(WITHOUT_SUHOSIN) PATCHFILES= suhosin-patch-${PORTVERSION}-0.9.5.patch.gz PATCH_SITES= http://www.hardened-php.net/suhosin/_media/ PATCH_DIST_STRIP= -p1 diff --git a/lang/php4/files/patch-ext_standard_dir.c b/lang/php4/files/patch-ext_standard_dir.c new file mode 100644 index 000000000000..ef819306883b --- /dev/null +++ b/lang/php4/files/patch-ext_standard_dir.c @@ -0,0 +1,20 @@ +--- ext/standard/dir.c.orig Mon Oct 16 06:59:56 2006 ++++ ext/standard/dir.c Mon Oct 16 07:00:06 2006 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: dir.c,v 1.109.2.18.2.2 2006/01/01 13:46:57 sniper Exp $ */ ++/* $Id: dir.c,v 1.109.2.18.2.3 2006/10/04 23:20:02 iliaa Exp $ */ + + /* {{{ includes/startup/misc */ + +@@ -275,7 +275,7 @@ + RETURN_FALSE; + } + +- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) { ++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) { + RETURN_FALSE; + } + ret = VCWD_CHDIR(str); 
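Review bot: Turning the `SUHOSIN` option on and switching the guard to `.if !defined(WITHOUT_SUHOSIN)` means every default php4 build now fetches `suhosin-patch-4.4.4-0.9.5.patch.gz` from `http://www.hardened-php.net/suhosin/_media/` over plain HTTP, so the checksum recorded in the port's distinfo is the only integrity control on that code; the diffstat shows no distinfo change in this commit, so that entry is presumably already there from when the option was first added, but it is worth confirming before this lands. The change also silently gives users who never opted in a patched Zend engine, and the php5 Makefile hunk further down is only a PORTREVISION bump, so php5 is presumably already on by default. A short note in UPDATING or pkg-message saying that `WITHOUT_SUHOSIN=yes` restores the previous behaviour would help operators who pin their build options. The dir.c patch on this same line is covered by the note on the php5 copy below.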
diff --git a/lang/php4/files/patch-main_php_open_temporary_file.c b/lang/php4/files/patch-main_php_open_temporary_file.c
new file mode 100644
index 000000000000..1af8a22b5a6e
--- /dev/null
+++ b/lang/php4/files/patch-main_php_open_temporary_file.c
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:26:57 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:27:01 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+ 
+-/* $Id: php_open_temporary_file.c,v 1.18.2.10.2.3 2006/05/23 23:23:39 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.18.2.10.2.6 2006/10/13 01:12:11 iliaa Exp $ */
+ 
+ #include "php.h"
+ 
+@@ -207,6 +207,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+ 
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -215,11 +216,22 @@
+ *opened_path_p = NULL;
+ }
+ 
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++ 
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++ 
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php4/files/patch-php.ini-dist b/lang/php4/files/patch-php.ini-dist
new file mode 100644
index 000000000000..5ba593157aab
--- /dev/null
+++ b/lang/php4/files/patch-php.ini-dist
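Review bot: The new fallback branch makes `php_open_temporary_fd()` return -1 whenever the default temporary directory lies outside `open_basedir`, where the removed line created the file there unconditionally; that is the fix, but it is also a behaviour change for any caller that passes an empty `dir` and relies on the system temp dir for its own internal files (upload handling is the usual candidate; no caller is visible in this hunk), so sites that set `open_basedir` without including `/tmp` may start seeing failures and the port should say so in its release notes. The explicit `dir` argument is still handed to `php_do_open_temporary_file()` unchecked while only the fallback is checked, which is safe only if every caller validates a user-supplied directory itself; a comment above that call such as `/* dir is trusted: callers must open_basedir-check user-supplied paths first */` would make the contract explicit. Stylistically the backward `goto def_tmp` into the body of `if (!dir || *dir == '\0')` is legal C but easy to misread, though since this is taken verbatim from PHP CVS it is probably better kept identical to upstream than restructured in a ports patch.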
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -155,6 +155,15 @@
+ 
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+ 
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php4/files/patch-php.ini-recommended b/lang/php4/files/patch-php.ini-recommended
new file mode 100644
index 000000000000..a2baecd55e4f
--- /dev/null
+++ b/lang/php4/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -169,6 +169,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+ 
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index e0d2013da065..90bd0d34af2c 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
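Review bot: The new SECURITY NOTE tells readers to install "the Suhosin extension", but this same commit enables the Suhosin core patch through the port's SUHOSIN option, and the commit message lists the two as separate things; an administrator who sees the option enabled will reasonably assume the recommendation is already satisfied. I would make the distinction explicit, e.g. `; For increased security we recommend installing the Suhosin extension` followed by `; (a separate PHP extension, not the Suhosin core patch the port applies).` While the text is being added it is worth fixing its grammar too: "Security Officer strongly recommend" → "recommends", "many bugs in Safe Mode has been fixed" → "have been fixed", "which allows a user" → "which allow a user". The same paragraph is repeated in php.ini-recommended here and in the php5 and php53 copies, so whatever wording is chosen should be applied to all six files.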
@@ -7,7 +7,7 @@ PORTNAME= php5 PORTVERSION= 5.1.6 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \ http://downloads.php.net/ilia/:rc \ diff --git a/lang/php5/files/patch-ext_standard_dir.c b/lang/php5/files/patch-ext_standard_dir.c new file mode 100644 index 000000000000..58a6bccb9cfe --- /dev/null +++ b/lang/php5/files/patch-ext_standard_dir.c @@ -0,0 +1,20 @@ +--- ext/standard/dir.c.orig Mon Oct 16 07:08:36 2006 ++++ ext/standard/dir.c Mon Oct 16 07:08:40 2006 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: dir.c,v 1.147.2.3 2006/02/26 10:49:50 helly Exp $ */ ++/* $Id: dir.c,v 1.147.2.3.2.1 2006/10/04 23:19:25 iliaa Exp $ */ + + /* {{{ includes/startup/misc */ + +@@ -286,7 +286,7 @@ + RETURN_FALSE; + } + +- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) { ++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) { + RETURN_FALSE; + } + ret = VCWD_CHDIR(str); diff --git a/lang/php5/files/patch-main_php_open_temporary_file.c b/lang/php5/files/patch-main_php_open_temporary_file.c new file mode 100644 index 000000000000..85f7c51ab47d --- /dev/null +++ b/lang/php5/files/patch-main_php_open_temporary_file.c 
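Review bot: In the dir.c hunk the added `|| php_check_open_basedir(str TSRMLS_CC)` is folded into the existing safe_mode condition, mixing two independent policies of opposite polarity (`!php_checkuid(...)` versus a truthy `php_check_open_basedir(...)`) in one expression, which makes the new check easy to lose the next time the safe_mode branch is edited; I would keep it as its own guard, `if (php_check_open_basedir(str TSRMLS_CC)) { RETURN_FALSE; }`, placed just before `ret = VCWD_CHDIR(str);`. Nothing in the function says why chdir() needs the restriction, so a one-line why-comment would help, e.g. `/* chdir() must honour open_basedir too: a cwd outside it would presumably let later relative paths escape the restriction */`. PHP_FUNCTION(chdir) begins before this hunk; the php4 copy on the line above and the php53 copy below carry the same change, and since the patch is obtained from PHP CVS, any restyling would have to be weighed against staying identical to upstream.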
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:21:14 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:22:00 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+ 
+-/* $Id: php_open_temporary_file.c,v 1.34.2.2 2006/05/23 23:22:26 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.34.2.1.2.4 2006/10/13 01:11:30 iliaa Exp $ */
+ 
+ #include "php.h"
+ 
+@@ -206,6 +206,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+ 
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -214,11 +215,22 @@
+ *opened_path_p = NULL;
+ }
+ 
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++ 
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++ 
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php5/files/patch-php.ini-dist b/lang/php5/files/patch-php.ini-dist
new file mode 100644
index 000000000000..6d84f3a80891
--- /dev/null
+++ b/lang/php5/files/patch-php.ini-dist
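Review bot: Only the fallback directory is run through `php_check_open_basedir()` here; the `dir` argument is still passed straight to `php_do_open_temporary_file(dir, ...)` a few lines later, so for this function the restriction holds only if every caller has already validated a user-supplied directory (tempnam() presumably does; no caller is in this hunk). Either add the symmetric check, `if (php_check_open_basedir(dir TSRMLS_CC)) { return -1; }` just before that call, or, if that is too strict for admin-configured directories, state the contract in the function's header comment so the next caller does not assume the function is self-protecting. Note also that when the default directory is refused the function now returns -1 where the removed line would have created the file anyway, so callers that never expected -1 from the fallback path deserve an audit. The hunk is identical to the php4 copy above apart from the $Id and offset lines, so any change should be mirrored there and in the php53 copy below.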
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -165,6 +165,15 @@
+ 
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+ 
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php5/files/patch-php.ini-recommended b/lang/php5/files/patch-php.ini-recommended
new file mode 100644
index 000000000000..7b648b1ea0b5
--- /dev/null
+++ b/lang/php5/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -223,6 +223,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+ 
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index e0d2013da065..90bd0d34af2c 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -7,7 +7,7 @@ PORTNAME= php5 PORTVERSION= 5.1.6 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \ http://downloads.php.net/ilia/:rc \ diff --git a/lang/php53/files/patch-ext_standard_dir.c b/lang/php53/files/patch-ext_standard_dir.c new file mode 100644 index 000000000000..58a6bccb9cfe --- /dev/null +++ b/lang/php53/files/patch-ext_standard_dir.c @@ -0,0 +1,20 @@ +--- ext/standard/dir.c.orig Mon Oct 16 07:08:36 2006 ++++ ext/standard/dir.c Mon Oct 16 07:08:40 2006 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: dir.c,v 1.147.2.3 2006/02/26 10:49:50 helly Exp $ */ ++/* $Id: dir.c,v 1.147.2.3.2.1 2006/10/04 23:19:25 iliaa Exp $ */ + + /* {{{ includes/startup/misc */ + +@@ -286,7 +286,7 @@ + RETURN_FALSE; + } + +- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) { ++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) { + RETURN_FALSE; + } + ret = VCWD_CHDIR(str); diff --git a/lang/php53/files/patch-main_php_open_temporary_file.c b/lang/php53/files/patch-main_php_open_temporary_file.c new file mode 100644 index 000000000000..85f7c51ab47d --- /dev/null +++ b/lang/php53/files/patch-main_php_open_temporary_file.c 
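Review bot: lang/php53/Makefile in this section still reads `PORTNAME= php5` and `PORTVERSION= 5.1.6`, and its blob ids (`e0d2013da065..90bd0d34af2c`) are the same as lang/php5/Makefile's above, as are the four patch-file blobs that follow, so at this point lang/php53 looks like a verbatim copy of the php5 port rather than a separate PHP 5.3 port. If that is intended, a comment at the top of the Makefile saying it tracks lang/php5 would save the next committer from wondering why every security fix has to be applied twice, and two ports sharing `PORTNAME= php5` will presumably collide on package name; if it is not intended, this section should be dropped from the commit. The dir.c hunk here is byte-identical to the php5 one and the note on that copy applies.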
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:21:14 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:22:00 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+ 
+-/* $Id: php_open_temporary_file.c,v 1.34.2.2 2006/05/23 23:22:26 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.34.2.1.2.4 2006/10/13 01:11:30 iliaa Exp $ */
+ 
+ #include "php.h"
+ 
+@@ -206,6 +206,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+ 
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -214,11 +215,22 @@
+ *opened_path_p = NULL;
+ }
+ 
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++ 
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++ 
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php53/files/patch-php.ini-dist b/lang/php53/files/patch-php.ini-dist
new file mode 100644
index 000000000000..6d84f3a80891
--- /dev/null
+++ b/lang/php53/files/patch-php.ini-dist
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -165,6 +165,15 @@
+ 
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+ 
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php53/files/patch-php.ini-recommended b/lang/php53/files/patch-php.ini-recommended
new file mode 100644
index 000000000000..7b648b1ea0b5
--- /dev/null
+++ b/lang/php53/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -223,6 +223,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+ 
+ ; By default, Safe Mode does a UID compare check when |